HubSpot updated its privacy policy on July 2, 2026, making three operational changes: (1) renamed 'enrichment products' to 'enrichment features' throughout the policy; (2) added a new section describing how the company collects Email Engagement Data (open, delivery, bounce, and click statuses) from emails sent through HubSpot's Subscription Services using embedded tracking technologies; (3) removed a sentence that previously directed users to a form for removing their personal data from HubSpot's commercial dataset. The policy now includes email engagement tracking as an explicit data collection practice and consolidated references to the Tracking Code, but provides no new removal mechanism.
The updated policy now explicitly discloses that HubSpot collects Email Engagement Data (such as open, delivery, bounce, and click statuses) from emails sent through its Subscription Services using embedded tracking technologies. This represents formalization of a data collection practice into explicit policy language. However, the policy simultaneously removed a previously stated sentence directing users to a form for removing their personal data from HubSpot's commercial dataset. The updated terms do not indicate an alternative removal mechanism.
The updated policy formalizes email engagement tracking as an explicit data collection practice, which affects how HubSpot customers' email campaigns are monitored and how email recipient data is processed. Simultaneously, the removal of the data removal process language eliminates a stated user pathway for requesting data deletion, which may create ambiguity about compliance with GDPR erasure rights and CCPA/CPRA deletion rights unless HubSpot has provided an alternative mechanism.
→ Email engagement data (opens, bounces, clicks) will be collected via embedded tracking technologies as stated in the updated policy when emails are sent through HubSpot's Subscription Services.
→ The mechanism previously stated in the policy for removing personal data from HubSpot's commercial dataset is no longer referenced in the updated policy.
Explicitly discloses collection of email open, delivery, bounce, and click statuses via embedded tracking technologies in emails sent through HubSpot's Subscription Services.
Previously stated reference to a form for removing personal data from HubSpot's commercial dataset is no longer included in the policy.
Language updated to clarify that enrichment 'products' are now referred to as 'enrichment features' and now explicitly includes Email Engagement Data as a source for commercial dataset enrichment.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
HubSpot now formally states it collects data about whether you open emails, whether they bounce, and which links you click in emails sent through its platform.
The policy no longer includes a reference to how you can request removal of your data from HubSpot's commercial dataset.
HubSpot's July 2, 2026 privacy policy change adds explicit disclosure of email engagement tracking practices and removes language referencing a data removal process. Organizations using HubSpot to send emails should understand that engagement data is now contractually described as collected data. The removal of the data removal process language may create compliance considerations under GDPR (Articles 6, 21) and CCPA/CPRA (right to opt-out, deletion rights), particularly if no alternative mechanism for data removal is provided. Vendors incorporating HubSpot into their own service delivery may need to evaluate whether this change affects their own privacy notices, data processing agreements, or vendor contracts.
GDPR (right to erasure, Articles 6, 17; lawful basis for processing), CCPA/CPRA (opt-out rights, deletion rights, notice requirements), CASL (Canada, consent for email), CAN-SPAM (US, transactional email rules)
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Monitor: regulatory citations + obligations. Compliance: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-003407.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — MonitorHubSpot updated its Terms of Service on July 2, 2026, with changes primarily focused on AI governance and product naming. …
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the …
TikTok's data collection extends to device sensors, clipboard content, geolocation, and cross-site tracking. Here is what their Privacy Pol…
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.